Additional Materials:

Contact:

The Defense Contract Audit Agency (DCAA) has a critical role in contract oversight. DCAA audits are intended to help provide reasonable assurance that defense company policies for safeguarding assets and complying with contractual requirements are fulfilled. Defense companies also maintain their own internal audit departments to monitor policies, procedures, and business systems related to their government contracts. GAO was asked to assess the role of defense companies' internal audit departments and their ability to provide DCAA with information on their internal controls. GAO assessed (1) selected defense companies' adherence to standards for internal audits, (2) the extent to which those companies' internal audit reports address defense contract management internal controls, and (3) DCAA's ability to examine internal audits and use information from these audits. GAO reviewed a nongeneralizable sample of seven major defense companies including the five largest defense contractors and two smaller contractors; analyzed information on their 2008 and 2009 internal audits, which were the latest available when GAO began its assessment; and reviewed DCAA's ability to examine and use the audits in carrying out its oversight.

The seven internal audit departments GAO reviewed generally adhered to Institute of Internal Auditors standards for organizing their internal audit departments. These standards include maintaining independence and having a proficient workforce. For example, all seven companies are organized so that the internal audit department is independent of company management. For performing individual audits, the majority of the companies followed the standards in areas such as planning the audit work and obtaining evidence. In its examination of evidentiary workpapers, GAO found documentation of the internal auditors' testing to show the level of compliance with company policies. The selected companies' internal audit reports cover a broad spectrum of policies, business systems, and programs that are relevant to DCAA audits. Each company performs audits with scope and objectives specific to that company and its individual businesses, such as audits about defense programs or audits that review a company's accounting system. In addition, some audits are common across companies, such as reviews of purchase card transactions or controls over information technology. In 2008 and 2009, the seven companies conducted 1,125 internal audits. GAO determined that of these, 520 were related to the defense contract control environment and one or more areas reviewed by DCAA, such as overall internal control functions and specific business systems. DCAA's access to and use of internal audit information from reports and workpapers is limited, in part, because of company interpretations of court decisions concerning DCAA's access to documents. Consequently, the seven companies GAO reviewed have developed differing policies and procedures for providing internal audit information to DCAA but ultimately provide DCAA access to internal audit reports and workpapers on a case-by-case basis. (1) Six of the companies have policies that provide for DCAA access to at least some internal audits reports upon request. Of the six, four have policies for providing access to supporting workpapers for their internal audits upon request. The other two companies have policies of not providing DCAA with access to supporting workpapers. (2) One company has a policy of not providing DCAA with access to internal audits or workpapers. DCAA's use of its access authority has been addressed in two court decisions. The courts held that DCAA does not have unlimited power to demand access to all internal company materials, but they also held that DCAA may demand access to materials relevant to its audit responsibilities. However, DCAA does not generally track its requests or denials for internal audit reports. GAO found that the number of DCAA requests for internal audit reports is small relative to the number of internal audits GAO identified as relevant to defense contract oversight. In explaining why few reports are requested, DCAA auditors noted obstacles such as not being able to identify internal audits relevant to their work and uncertainty as to how useful those reports could be. By not routinely obtaining access to relevant company internal audits, DCAA auditors are hindered in their ability to effectively plan work and meet auditing standards for evaluating internal controls. GAO recommends that DCAA take steps to facilitate access to internal audits and assess periodically whether other actions are needed. DOD generally agreed to implement GAO's recommendations but expressed skepticism that this alone would fully ensure access to internal audits.

Recommendations for Executive Action

Status: Closed - Implemented

Comments: In August 2012, DCAA issued a revision to the Contract Audit Manual (CAM 4-202.c(2)) to implement this recommendation. The revision specifies that the DCAA Contract Audit Coordinator offices and Field Audit Offices (FAO) must establish a process and a central point of contact to obtain and monitor DCAA's access to and use of internal audits. The process is to include a method for tracking requests and the contractor's dispositions of these requests. The CAM has also been revised to include the specific duties of the central point of contact and to outline the process auditors and supervisors should follow to access internal audits as a part of their ongoing audits. A memorandum announcing the changes states that for non-major contractors the process is not mandatory but acknowledges that the internal audit reports are still useful and cites procedures to follow. Further, the memorandum states that when access is denied, the responsible supervisor will implement access to records procedures per DCAA Instruction 7640.17 dated December 2008 and states that if the efforts prove unsuccessful the Regional Director should review the matter and determine if a subpoena should be requested.

Recommendation: To increase DCAA's access to and use of internal audits, the Secretary of Defense should direct the Director of DCAA to ensure that DCAA's central point of contact for each company coordinates issues pertaining to internal audits. For some companies, this would be the Contract Audit Coordinator. For companies without a Contract Audit Coordinator, a point of contact would need to be designated except when DCAA officials have determined that a company does not have an internal audit function that produces reports that may be relevant to DCAA's audit responsibilities. Coordination responsibilities should include (1) obtaining sufficient information from the companies on their internal audit reports so DCAA auditors can better identify and request relevant audit reports and workpapers and (2) tracking DCAA auditors' requests for access to internal audit reports and workpapers and the companies' disposition of those requests.

Agency Affected: Department of Defense

Status: Closed - Implemented

Comments: In August 2012, DCAA issued a revision to the Contract Audit Manual (CAM 4-202.c(2)) to implement this recommendation. The revision specifies that the DCAA Contract Audit Coordinator offices and Field Audit Offices (FAO) must establish a process and a central point of contact to obtain and monitor DCAA's access to and use of internal audits. The process is to include a method for tracking requests and the contractor's dispositions of these requests. The CAM has also been revised to include the specific duties of the central point of contact and to outline the process auditors and supervisors should follow to access internal audits as a part of their ongoing audits. A memorandum announcing the changes states that when access is denied, the responsible supervisor will implement access to records procedures per DCAA Instruction 7640.17 dated December 2008 and states that if the efforts prove unsuccessful the Regional Director should review the matter and determine if a subpoena should be requested.

Recommendation: To increase DCAA's access to and use of internal audits, the Secretary of Defense should direct the Director of DCAA to periodically assess information compiled by the central points of contact regarding the number of requests for internal audits and their disposition to determine whether additional actions are needed. Such additional actions could include senior level engagement with company officials to change company access policies or, as warranted, the issuance of subpoenas.

Agency Affected: Department of Defense

Status: Closed - Implemented

Comments: In addition to issuing the August 2012 guidance regarding access to internal audits, training related to accessing contractors' internal audit reports will be presented at DCAA's Semi-annual Field Audit Office Assistant for Quality Workshop scheduled for early 2013 with training slides to be made available to attendees for additional dissemination at Field Office staff conferences.

Recommendation: To increase DCAA's access to and use of internal audits, the Secretary of Defense should direct the Director of DCAA to reaffirm with DCAA staff through guidance and training how and under what circumstances company internal audit reports can be accessed and used to improve the efficiency of audit planning and execution.